Abp.Sanitizer can cause a model binding validation bypass #6750
When using the Abp.Sanitizer package (any version), sanitization happens after validation in the pipeline. Which means that if I have a dto with a `[Required]` property, and also want to sanitize the input, and my input is `"<script>test</script>"`, the value after sanitization will be empty. This means that it bypasses the validation.

Comments

I couldn't be sure if we execute sanitization before validation.

The easiest way to test this would be to have a dto with a required property and to add the HtmlSanitizerAttribute to the method in the app service that uses the dto for input. The value should be something like If my explanation is not clear, I can also make an example.

No, it is totally clear. I'm just thinking about this from different angles :)

Ah ok :P

More case: This output will make the HTML form work incorrectly.
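The ordering problem this issue reports, as an added example that is not ABP's own code: a DataAnnotations `[Required]` check is run once on the raw value (the order the issue describes) and once on the sanitized value. The sanitizer is a regex stand-in for the real HTML sanitizer, and `CreateCommentDto` and `Pipeline` are hypothetical names; both are assumptions, not the project's API.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;
public class CreateCommentDto
{
    [Required] // rejects null and "" by default (AllowEmptyStrings = false)
    public string Text { get; set; }
}
public static class Pipeline
{
    // Stand-in for the real HTML sanitizer (assumption): drops <script> elements with
    // their content, then strips remaining tags, so "<script>test</script>" becomes "".
    static readonly Regex ScriptBlock = new Regex("<script[^>]*>.*?</script>",
        RegexOptions.IgnoreCase | RegexOptions.Singleline);
    static readonly Regex AnyTag = new Regex("<[^>]+>");

    public static string Sanitize(string input) =>
        input == null ? null : AnyTag.Replace(ScriptBlock.Replace(input, ""), "");

    static bool IsValid(CreateCommentDto dto) =>
        Validator.TryValidateObject(dto, new ValidationContext(dto),
            new List<ValidationResult>(), validateAllProperties: true);
    // Order the issue describes: [Required] sees the raw markup and passes,
    // then the sanitizer empties the value that is actually used.
    public static (bool valid, string stored) ValidateThenSanitize(string input)
    {
        var dto = new CreateCommentDto { Text = input };
        bool valid = IsValid(dto);
        dto.Text = Sanitize(dto.Text);
        return (valid, dto.Text);
    }

    // Order that closes the gap: validate the value that will actually be stored.
    public static (bool valid, string stored) SanitizeThenValidate(string input)
    {
        var dto = new CreateCommentDto { Text = Sanitize(input) };
        return (IsValid(dto), dto.Text);
    }

    public static void Main()
    {
        const string input = "<script>test</script>"; // the input from the issue
        var (bugValid, bugStored) = ValidateThenSanitize(input);
        var (fixValid, fixStored) = SanitizeThenValidate(input);
        Console.WriteLine($"validate-then-sanitize: valid={bugValid}, stored=\"{bugStored}\"");
        Console.WriteLine($"sanitize-then-validate: valid={fixValid}, stored=\"{fixStored}\"");
    }
}
```

The first ordering accepts the request and persists an empty string; the second rejects it, because the required check now runs against the value the application will keep.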